用PHP重命名图像文件

Question

I just want to make sure I'm doing this right. This is a simple upload class. I need to change the below code to rename the actual image file, with a variable name (a Joomla user id and keep the extension of course. It's easy to get the logged in user id. So my image filename before upload would be whatever the user had (usersimagename.jpg) and have it changed to a numeric userid.ext like (62.png) populated by joomla's user variable.

<?php

$uploaddir = $_REQUEST['path'];
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "success";
} else {
// WARNING! DO NOT USE "FALSE" STRING AS A RESPONSE!
// Otherwise onSubmit event will not be fired
echo "error";
 }

 ?>

Answer 1

If I understand your question right you want to keep the file extension while changing the actual name for storage. I don't know the Joomla variable but something like this should work

<?php
    $ext = strrchr($_FILES['userfile']['name'],".");

    $uploadfile = $uploaddir . $JOOMLAID . $ext;
?>

Then follow this up with the rest of your code.

You could also substitute $JOOMLAID with whatever generated name you can think of.

Answer 2

The code itself is operationally fine, but logistically is a nightmare. You're allowing the user to specify both a path AND filename for the final storage location. Consider what happens if a malicious user gets into your site. They can trivially replace ANY file on your server that your webserver's userID has access to.

eg

$_REQUEST['path'] = '/etc/';
$_FILES['userfile']['name'] = 'passwd';

or

$_REQUEST['path'] = 'c:\windows\system32\';
$_FILES['userfile']['name'] = 'ntoskrnl.exe';

while these are just shock-value examples, and not likely to be modifiable by your webserver, it is an example of how easily your code will allow someone to totally pwn your server.